INTERNET-DRAFT Matthew Hur
draft-ietf-cat-kerberos-pk-cross-08.txt Cisco Systems
Updates: RFC 1510 Brian Tung
November 8, 2001 (Expires May 8, 2001) Tatyana Ryutov
Clifford Neuman
ISI
Ari Medvinsky
Liberate
Gene Tsudik
UC Irvine
Bill Sommerfeld
Sun Microsystems
Public Key Cryptography for Cross-Realm Authentication in Kerberos
0. Status Of this Memo
This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC 2026. Internet-Drafts are
working documents of the Internet Engineering Task Force (IETF),
its areas, and its working groups. Note that other groups may
also distribute working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six
months and may be updated, replaced, or obsoleted by other
documents at any time. It is inappropriate to use Internet-Drafts
as reference material or to cite them other than as ``work in
progress.''
To learn the current status of any Internet-Draft, please check
the ``1id-abstracts.txt'' listing contained in the Internet-Drafts
Shadow Directories on ftp.ietf.org (US East Coast),
nic.nordu.net (Europe), ftp.isi.edu (US West Coast), or
munnari.oz.au (Pacific Rim).
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/1id-abstracts.html
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html
The distribution of this memo is unlimited. It is filed as
draft-ietf-cat-kerberos-pk-cross-07.txt, and expires May 15, 2001.
Please send comments to the authors.
1. Abstract
This document defines extensions to the Kerberos protocol
specification [KERB] to provide a method for using public key
cryptography to enable cross-realm authentication. The methods
defined here specify the way in which message exchanges are to be
used to transport cross-realm secret keys protected by encryption
under public keys certified as belonging to KDCs.
2. Introduction
Symmetric and asymmetric key systems may co-exist within hybrid
architectures in order to leverage the advantages and mitigiate
issues within the respective systems. An example of a hybrid
solution that may employ both symmetric and asymmetric technologies
is Kerberos ciphersuires in TLS [KERBTLS] which utilizes the
Kerberos protocol [KERB] [KERB94] in conjunction with TLS [TLS]
which has commonly been thought of as a public key protocol.
The Kerberos can leverage the advantages provided by public key
cryptography. PKINIT [PKINIT] describes the use of public key
cryptography in the initial authentication exchange in Kerberos.
PKTAPP [PKTAPP] describes how an application service can essentially
issue a kerberos ticket to itself after utilizing public key
cryptography for authentication. This specification describes the
use of public key crpytography in cross-realm authentication.
Without the use of public key cryptography, administrators must
maintain separate keys for every realm which wishes to exchange
authentication information with another realm (which implies n(n-1)
keys), or they must utilize a hierachichal arrangement of realms,
which may increase network traffic and complicate the trust model by
requiring evaluation of transited realms.
Even with the multi-hop cross-realm authentication, there must be
some way to locate the path by which separate realms are to be
transited. The current method, which makes use of the DNS-like
realm names typical to Kerberos, requires trust of the intermediate
KDCs.
PKCROSS utilizes a public key infrastructure (PKI) [X509] to
simplify the administrative burden of maintaining cross-realm keys.
Such usage leverages a PKI for a non-centrally-administratable
environment (namely, inter-realm). Thus, a shared key for cross-
realm authentication can be established for a set period of time,
and a remote realm is able to issue policy information that is
returned to itself when a client requests cross-realm
authentication. Such policy information may be in the form of
restrictions [NEUMAN]. Furthermore, these methods are transparent
to the client; therefore, only the KDCs need to be modified to use
them. In this way, we take advantage of the the distributed trust
management capabilities of public key crypography while maintaining
the advantages of localized trust management provided by Kerberos.
Although this specification utilizes the protocol specfied in the
PKINIT specification, it is not necessary to implement client
changes in order to make use of the changes in this document.
3. Objectives
The objectives of this specification are as follows:
1. Simplify the administration required to establish Kerberos
cross-realm keys.
2. Avoid modification of clients and application servers.
3. Allow remote KDC to control its policy on cross-realm
keys shared between KDCs, and on cross-realm tickets
presented by clients.
4. Remove any need for KDCs to maintain state about keys
shared with other KDCs.
5. Leverage the work done for PKINIT to provide the public key
protocol for establishing symmetric cross realm keys.
4. Definitions
The following notation is used throughout this specification:
KDC_l ........... local KDC
KDC_r ........... remote KDC
XTKT_(l,r) ...... PKCROSS ticket that the remote KDC issues to the
local KDC
TGT_(c,r) ....... cross-realm TGT that the local KDC issues to the
client for presentation to the remote KDC
This specification defines the following new types to be added to
the Kerberos specification:
PKCROSS kdc-options field in the AS_REQ is bit 9
TE-TYPE-PKCROSS-KDC 2
TE-TYPE-PKCROSS-CLIENT 3
This specification defines the following ASN.1 type for conveying
policy information:
CrossRealmTktData ::= SEQUENCE OF TypedData
This specification defines the following types for policy
information conveyed in CrossRealmTktData:
PLC_LIFETIME 1
PLC_SET_TKT_FLAGS 2
PLC_NOSET_TKT_FLAGS 3
TicketExtensions are defined per the Kerberos specification
[KERB-REV]:
TicketExtensions ::= SEQUENCE OF TypedData
Where
TypedData ::= SEQUENCE {
data-type[0] INTEGER,
data-value[1] OCTET STRING OPTIONAL
}
5. Protocol Specification
We assume that the client has already obtained a TGT. To perform
cross-realm authentication, the client does exactly what it does
with ordinary (i.e. non-public-key-enabled) Kerberos; the only
changes are in the KDC; although the ticket which the client
forwards to the remote realm may be changed. This is acceptable
since the client treats the ticket as opaque.
5.1. Overview of Protocol
The basic operation of the PKCROSS protocol is as follows:
1. The client submits a request to the local KDC for
credentials for the remote realm. This is just a typical
cross realm request that may occur with or without PKCROSS.
2. The local KDC submits a PKINIT request to the remote KDC to
obtain a "special" PKCROSS ticket. This is a standard
PKINIT request, except that PKCROSS flag (bit 9) is set in
the kdc-options field in the AS_REQ. Note that the service
name in the request is for pkcross/realm@REALM instead of
krbtgt/realm@REALM.
3. The remote KDC responds as per PKINIT, except that
the ticket contains a TicketExtension, which contains
policy information such as lifetime of cross realm tickets
issued by KDC_l to a client. The local KDC must reflect
this policy information in the credentials it forwards to
the client. Call this ticket XTKT_(l,r) to indicate that
this ticket is used to authenticate the local KDC to the
remote KDC.
4. The local KDC passes a ticket, TGT_(c,r) (the cross realm
TGT between the client and remote KDC), to the client.
This ticket contains in its TicketExtension field the
ticket, XTKT_(l,r), which contains the cross-realm key.
The TGT_(c,r) ticket is encrypted using the key sealed in
XTKT_(l,r). (The TicketExtension field is not encrypted.)
The local KDC may optionally include another TicketExtension
type that indicates the hostname and/or IP address for the
remote KDC.
5. The client submits the request directly to the remote
KDC, as before.
6. The remote KDC extracts XTKT_(l,r) from the TicketExtension
in order to decrypt the encrypted part of TGT_(c,r).
--------------------------------------------------------------------
Client Local KDC (KDC_l) Remote KDC (KDC_r)
------ ----------------- ------------------
Normal Kerberos
request for
cross-realm
ticket for KDC_r
---------------------->
PKINIT request for
XTKT(l,r) - PKCROSS flag
set in the AS-REQ
* ------------------------->
PKINIT reply with
XTKT_(l,r) and
policy info in
ticket extension
<-------------------------- *
Normal Kerberos reply
with TGT_(c,r) and
XTKT(l,r) in ticket
extension
<---------------------------------
Normal Kerberos
cross-realm TGS-REQ
for remote
application
service with
TGT_(c,r) and
XTKT(l,r) in ticket
extension
------------------------------------------------->
Normal Kerberos
cross-realm
TGS-REP
<---------------------------------------------------------------
* Note that the KDC to KDC messages occur only periodically, since
the local KDC caches the XTKT_(l,r).
--------------------------------------------------------------------
Sections 5.2 through 5.4 describe in detail steps 2 through 4
above. Section 5.6 describes the conditions under which steps
2 and 3 may be skipped.
Note that the mechanism presented above requires infrequent KDC to
KDC communication (as dictated by policy - this is discussed
later). Without such an exchange, there are the following issues:
1) KDC_l would have to issue a ticket with the expectation that
KDC_r will accept it.
2) In the message that the client sends to KDC_r, KDC_l would have
to authenticate KDC_r with credentials that KDC_r trusts.
3) There is no way for KDC_r to convey policy information to KDC_l.
4) If, based on local policy, KDC_r does not accept a ticket from
KDC_l, then the client gets stuck in the middle. To address such
an issue would require modifications to standard client
processing behavior.
Therefore, the infreqeunt use of KDC to KDC communication assures
that inter-realm KDC keys may be established in accordance with local
policies and that clients may continue to operate without
modification.
5.2. Local KDC's Request to Remote KDC
When the local KDC receives a request for cross-realm
authentication, it first checks its ticket cache to see if it has a
valid PKCROSS ticket, XTKT_(l,r). If it has a valid XTKT_(l,r),
then it does not need to send a request to the remote KDC (see
section 5.5).
If the local KDC does not have a valid XTKT_(l,r), it sends a
request to the remote KDC (for pkcross/realm@REALM) in order to
establish a cross realm key and obtain the XTKT_(l,r). This request
is in fact a PKINIT request as described in the PKINIT specification;
i.e., it consists of an AS-REQ with a PA-PK-AS-REQ included as a
preauthentication field. Note, that the AS-REQ MUST have the PKCROSS
flag (bit 9) set in the kdc_options field of the AS-REQ. Otherwise,
this exchange exactly follows the description given in the PKINIT
specification.
5.3. Remote KDC's Response to Local KDC
When the remote KDC receives the PKINIT/PKCROSS request from the
local KDC, it sends back a PKINIT response as described in
the PKINIT specification with the following exception: the encrypted
part of the Kerberos ticket is not encrypted with the krbtgt key;
instead, it is encrypted with the ticket granting server's PKCROSS
key. This key, rather than the krbtgt key, is used because it
encrypts a ticket used for verifying a cross realm request rather
than for issuing an application service ticket. This is the reason
that the name pkcross/realm@REALM is used instead of
krbtgt/realm@REALM. Note that, as a matter of policy, the session
key for the XTKT_(l,r) MAY be of greater strength than that of a
session key for a normal PKINIT reply, since the XTKT_(l,r) SHOULD
be much longer lived than a normal application service ticket.
In addition, the remote KDC SHOULD include policy information in the
XTKT_(l,r). This policy information would then be reflected in the
cross-realm TGT, TGT_(c,r). Otherwise, the policy for TGT_(c,r)
would be dictated by KDC_l rather than by KDC_r. The local KDC MAY
enforce a more restrictive local policy when creating a cross-realm
ticket, TGT_(c,r). For example, KDC_r may dictate a lifetime
policy of eight hours, but KDC_l may create TKT_(c,r) with a
lifetime of four hours, as dictated by local policy. Also, the
remote KDC MAY include other information about itself along with the
PKCROSS ticket. These items are further discussed in section 6
below.
5.4. Local KDC's Response to Client
Upon receipt of the PKINIT/CROSS response from the remote KDC,
the local KDC formulates a response to the client. This reply
is constructed exactly as in the Kerberos specification, except
for the following:
A) The local KDC places XTKT_(l,r) in the TicketExtension field of
the client's cross-realm, ticket, TGT_(c,r), for the remote
realm.
Where
data-type equals 3 for TE-TYPE-PKCROSS-CLIENT
data-value is ASN.1 encoding of XTKT_(l,r)
B) The local KDC adds the name of its CA to the transited field of
TGT_(c,r).
5.5 Remote KDC's Processing of Client Request
When the remote KDC, KDC_r, receives a cross-realm ticket,
TGT_(c,r), and it detects that the ticket contains a ticket
extension of type TE-TYPE-PKCROSS-CLIENT, KDC_r must first decrypt
the ticket, XTKT_(l,r), that is encoded in the ticket extension.
KDC_r uses its PKCROSS key in order to decrypt XTKT_(l,r). KDC_r
then uses the key obtained from XTKT_(l,r) in order to decrypt the
cross-realm ticket, TGT_(c,r).
KDC_r MUST verify that the cross-realm ticket, TGT_(c,r) is in
compliance with any policy information contained in XTKT_(l,r) (see
section 6). If the TGT_(c,r) is not in compliance with policy, then
the KDC_r responds to the client with a KRB-ERROR message of type
KDC_ERR_POLICY.
5.6. Short-Circuiting the KDC-to-KDC Exchange
As we described earlier, the KDC to KDC exchange is required only
for establishing a symmetric, inter-realm key. Once this key is
established (via the PKINIT exchange), no KDC to KDC communication
is required until that key needs to be renewed. This section
describes the circumstances under which the KDC to KDC exchange
described in Sections 5.2 and 5.3 may be skipped.
The local KDC has a known lifetime for TGT_(c,r). This lifetime may
be determined by policy information included in XTKT_(l,r), and/or
it may be determined by local KDC policy. If the local KDC already
has a ticket XTKT(l,r), and the start time plus the lifetime for
TGT_(c,r) does not exceed the expiration time for XTGT_(l,r), then
the local KDC may skip the exchange with the remote KDC, and issue a
cross-realm ticket to the client as described in Section 5.4.
Since the remote KDC may change its PKCROSS key (referred to in
Section 5.2) while there are PKCROSS tickets still active, it SHOULD
cache the old PKCROSS keys until the last issued PKCROSS ticket
expires. Otherwise, the remote KDC will respond to a client with a
KRB-ERROR message of type KDC_ERR_TGT_REVOKED.
6. Extensions for the PKCROSS Ticket
As stated in section 5.3, the remote KDC SHOULD include policy
information in XTKT_(l,r). This policy information is contained in
a TicketExtension, as defined by the Kerberos specification, and the
authorization data of the ticket will contain an authorization
record of type AD-IN-Ticket-Extensions. The TicketExtension defined
for use by PKCROSS is TE-TYPE-PKCROSS-KDC.
Where
data-type equals 2 for TE-TYPE-PKCROSS-KDC
data-value is ASN.1 encoding of CrossRealmTktData
CrossRealmTktData ::= SEQUENCE OF TypedData
------------------------------------------------------------------
CrossRealmTktData types and the corresponding data are interpreted
as follows:
ASN.1 data
type value interpretation encoding
---------------- ----- -------------- ----------
PLC_LIFETIME 1 lifetime (in seconds) INTEGER
for TGT_(c,r)
- cross-realm tickets
issued for clients by
TGT_l
PLC_SET_TKT_FLAGS 2 TicketFlags that must BITSTRING
be set
- format defined by
Kerberos specification
PLC_NOSET_TKT_FLAGS 3 TicketFlags that must BITSTRING
not be set
- format defined by
Kerberos specification
Further types may be added to this table.
------------------------------------------------------------------
7. Usage of Certificates
In the cases of PKINIT and PKCROSS, the trust in a certification
authority is equivalent to Kerberos cross realm trust. For this
reason, an implementation MAY choose to use the same KDC certificate
when the KDC is acting in any of the following three roles:
1) KDC is authenticating clients via PKINIT
2) KDC is authenticating another KDC for PKCROSS
3) KDC is the client in a PKCROSS exchange with another KDC
Note that per PKINIT, the KDC X.509 certificate (the server in a
PKINIT exchange) MUST contain the principal name of the KDC in the
subjectAltName field.
8. Transport Issues
Because the messages between the KDCs involve PKINIT exchanges, and
PKINIT recommends TCP as a transport mechanism (due to the length of
the messages and the likelihood that they will fragment), the same
recommendation for TCP applies to PKCROSS as well.
9. Security Considerations
Since PKCROSS utilizes PKINIT, it is subject to the same security
considerations as PKINIT. Administrators should assure adherence
to security policy - for example, this affects the PKCROSS policies
for cross realm key lifetime and for policy propogation from the
PKCROSS ticket, issued from a remote KDC to a local KDC, to
cross realm tickets that are issued by a local KDC to a client.
10. Bibliography
[KERBTLS] A. Medvinsky and M. Hur, "Addition of Kerberos Cipher
Suites to Transport Layer Security (TLS)", RFC 2712,
October 1999.
[KERB] J. Kohl and C. Neuman, "The Kerberos Network
Authentication Service (V5)", RFC 1510, September 1993.
[TLS] T. Dierks and C. Allen, "The TLS Protocol, Version 1.0",
RFC 2246, January 1999.
[PKINIT] B. Tung, C. Neuman, M. Hur, A. Medvinsky, S. Medvinsky,
J. Wray, J. Trostle. Public Key Cryptography for Initial
Authentication in Kerberos.
draft-ietf-cat-kerberos-pk-init-14.txt
[PKTAPP] A. Medvinsky, M. Hur, S. Medvinsky, C. Neuman.
Public Key Utilizing Tickets for Application
Servers (PKTAPP). draft-ietf-cat-kerberos-pk-tapp-03.txt
[X509] ITU-T (formerly CCITT) Information technology - Open
Systems Interconnection - The Directory: Authentication
Framework Recommendation X.509 ISO/IEC 9594-8
[NEUMAN] B.C. Neuman, "Proxy-Based Authorization and Accounting for
Distributed Systems". Proceedings of the 13th
International Conference on Distributed Computing Systems,
May 1993
[KERB94] B.C. Neuman, Theodore Ts'o. Kerberos: An Authentication
Service for Computer Networks, IEEE Communications,
32(9):33-38. September 1994.
[KERB-REV] C.Neuman, J. Kohl, T. Ts'o. The Kerberos Network
Authentication Service (V5).
draft-ietf-cat-kerberos-revisions-08.txt
11. Authors' Addresses
Matthew Hur
Cisco Systems
2901 Third Avenue
Seattle, WA 98121
Phone: +1 206 256 3197
E-Mail: mhur@cisco.com
Brian Tung
Tatyana Ryutov
Clifford Neuman
USC/Information Sciences Institute
4676 Admiralty Way Suite 1001
Marina del Rey, CA 90292-6695
Phone: +1 310 822 1511
E-Mail: {brian, tryutov, bcn}@isi.edu
Ari Medvinsky
Liberate
2 Circle Star Way
San Carlos, CA 94070-6200
Phone: +1 650 701 4000
EMail: ari@liberate.com
Gene Tsudik
ICS Dept, 458 CS Building
Irvine CA 92697-3425
Phone: +1 310 448 9329
E-Mail: gts@ics.uci.edu
Bill Sommerfeld
Sun Microsystems
E-Mail: sommerfeld@east.sun.com